Experts Debate How Hackers Stole 40 Million Card Numbers from Target

Massive Data Breach Renews Call for Adoption of Chip-based Payment Cards in The United States...

While US retail giant Target has not provided any details as to how thieves stole payment card details for approximately 40 million customers, security experts are focusing on how point-of-sales (POS) systems can be compromised. Experts are also renewing calls for credit card issuers in the United States to switch to a chip-based credit or debit cards for better security.

Target “has tried to do 'everything right' as far as I can tell, yet the theft still occurred,” Avivah Litan, a distinguished analyst at research firm Gartner, wrote on the Gartner blog.

Target said a forensic investigation was underway, but experts warned it would likely be months before any details about the breach would be available. Even so, organizations can still draw lessons from this data breach by considering various attack scenarios such as card readers which have been tampered with, POS systems infected with malware, and insider threats. The breach is also a good reminder that it is long past time for American companies to adopt the more secure chip-based credit cards rather than relying on magnetic stripes.

Attack Details

As SecurityWeekreported earlier, Target confirmed credit and debit card information for approximately 40 million customers who shopped at one of its brick-and-mortar stores from Nov. 27 to Dec. 15 were compromised. The attack appears to be geographically widespread and not limited to a handful of stores or a geographic area, according to the report from security writer Brian Krebs. Shoppers who bought something via Target's online store during this time period appear to be unaffected by the breach.

Many merchants and POS terminals don't have some of the basic security measures required by PCI DSS, said Bala Venkat, the chief marketing officer for Cenzic. The PCI Council even included new rules for securing POS terminals in the version 3.0, unveiled early November. Being PCI compliant is also not just a once-a-year affair but require constant vigilance. The PCI Council recommends implementing a continuous monitoring system to ensure organizations don't drift out of compliance.

In the case of Target, however, the retailer most likely had spent “a small fortune” on security controls and business processes and was PCI compliant, said Litan. Target likely encrypted payment card details, took steps to store and transfer the data securely, and regularly monitored business processes to ensure there were no problems, to name just a few of the things covered under PCI-DSS.

So how, then, did the attackers breach Target?

Malicious Insiders?

Krebs suggested in his analysis that attackers targeted POS terminals in multiple stores. This can mean a widespread malware infection, card readers that have been tampered with, or hacking the payment application via improperly configured remote access tools.

Regardless of the entry point, attackers likely had help compromising enough POS systems to carry out this attack.

“It's actually quite impressive that someone was able to distribute the infected software out to that many POS terminals,” said Hord Tipton, the executive director of International Information Systems Security Certification Consortium. “Someone on the inside probably helped here,” he added.

Litan said she wouldn't be surprised if it turned out that “Target did a great job protecting their systems from external intruders but dropped the ball when it came to securing insider access.”

For example, there is no reason such large volumes of data could be accessible by one user or process, said James Lyne, global head of security research at Sophos. There should have been processes and controls in place to detect attempts to export this much data and to block the user from succeeding, he said.

Not an Attack on POS Systems

It's possible the attackers didn't touch the POS systems at all. Litan speculated the attackers may have targeted Target's switching system for authorization and settlement. She said she would be “very surprised if the breach occurred because malware was installed on POS devices or in local store systems.”

Alternatively, the attackers may have targeted a system between the POS terminal and the credit card processor, said Lucas Zaichkowsky, an enterprise defense architect at AccessData who has worked for a credit card processor in the past. Many retailers with multiple locations first aggregate all the data collected by the POS systems at individual stores at a centralized corporate location before sending the information on to a credit card processor, he said. It would be easier for the attackers to hack their way to this central location instead of individual POS systems, he said.

One way to protect payment data from attackers is to use point-to-point encryption, where the data is encrypted on the hardware level at the point of scanning, suggested Mark Bower, vice-president of product management at Voltage Security. This ensures the malware on the POS terminal or the attacker hacking into a different system can't use the encrypted data, and has “nothing to steal,” Bower said.

Target, which has confirmed it is working with the United States Secret Service and the Department of Justice to investigate the incident,confirmed on Dec. 27 that encrypted PIN data from card transactions was accessed by hackers.

Outdated Technology

It remains to be seen what kind of impact this breach and the increasing number of malware targeting ATMs and POS terminals will have on the payment card industry. Banks and credit card issuers in the United States stubbornly cling to “outdated magnetic strip credit card technology” to store data instead of moving to the more secure smart-chip technology, Tipton said. The smart chip technology encrypts the data stored on the card differently every time it is swiped, making it harder for criminals to use stolen card details.

“It's time for the U.S. card industry to move to chips/smart cards and stop expecting retailers to patch an insecure payment card system,” Litan said.

Chip-based cards are ubiquitous in Europe and other parts of the world. Visa and MasterCard have set October 2015 as the deadline for new chip card standards in the U.S. It's not clear if the rise in attacks against retailers will speed up the timeline.

With the magnetic strip, any person, such as a waiter or cashier, could write down and compromise a persons credit card information because it is stored in plain text, said Matt Standart, a research director at HBGary. The industry needs to rethink the technology so that card readers and POS systems are no longer an attack entry point, he said.

“Whether this was a software breach, a phishing scam, an insider attack or something else, there's one thing that's for certain: there will be some major lessons learned once details on the investigation finally trickle out and Target has paid millions to recover," Tipton said.

*Updated to reflect confirmation that encyrpyted PIN data was accessed by attackers.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.